Snowflake

Introduction

Multi-factor authentication (MFA) is an extra layer of security used when logging into websites or apps: users are authenticated through more than one security and validation procedure, each relying on something only they know or have access to. Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Acceptto™, as a SAML provider, improves the user login experience for Snowflake users with its convenient SSO-MFA solution.

Pre-Requisites

  1. An Acceptto account with a configured Identity Provider and LDAP Agent (See this page for instructions).
  2. A Snowflake user account with ACCOUNTADMIN role.
  3. A user with administrative privileges for the Acceptto Cloud dashboard.

Configure Snowflake as a Service Provider

  1. Download the SAML metadata and certificate for your organization from Acceptto.

    Metadata Download at https://sso.acceptto.com/<myorganization>/saml/download/metadata or view at https://sso.acceptto.com/<myorganization>/saml/metadata

    Certificate Download at https://sso.acceptto.com/<myorganization>/saml/download/cert

  2. Log into your Snowflake instance as an administrator. Switch the user role from SYSADMIN (Default) to ACCOUNTADMIN using the Switch Role menu located under your account name, on the right-hand side of the screen.

  3. Navigate to the Worksheets section and paste the following query with information acquired earlier from Acceptto.

    use role accountadmin;
    CREATE SECURITY INTEGRATION AccepttoINTEGRATION
        TYPE = SAML2
        ENABLED = TRUE
        SAML2_ISSUER = 'https://sso.acceptto.com/<myorganization>/saml'
        SAML2_SSO_URL = 'https://sso.acceptto.com/<myorganization>/saml/auth'
        SAML2_PROVIDER = 'CUSTOM'
        -- Certificate body only, without the BEGIN/END lines
        SAML2_X509_CERT = '<copy/paste the Acceptto certificate value between the BEGIN and END lines>'
        SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = 'AccepttoSSO'
        SAML2_ENABLE_SP_INITIATED = TRUE;

  4. Click on the Run button and execute the query.

  5. Delete the previous query and run the following one to enable SSO through the Snowflake login page.

    use role accountadmin;
    alter account set sso_login_page = true;

  6. We will now create users who are going to log into Snowflake. Navigate to the Account section.

    Select the Users tab and click on the Create button.

  7. In the Create User dialog box on the General tab, fill the Username and Password fields and uncheck Force Password Change. Click on Next.

  8. On the Advanced tab, fill the Login Name and Email fields. Click on Next. (Note that your login name and email address must match your username and email address in the directory service.)

  9. On the Preferences tab, select the user’s role in the Default Role dropdown and click Finish.

  10. Snowflake recommends unsetting a new user's password when the user logs in through SSO. Go to the Worksheets section and run the following command:

    alter user <name> unset password;
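
As an added example (not part of Acceptto's or Snowflake's documentation), the Python sketch below derives the statement from step 3 out of the metadata downloaded in step 1, so the issuer, SSO URL and certificate are not hand-copied. The sample metadata, the `myorg` organization and the certificate body are constructed placeholders, and `quote` and `integration_sql` are hypothetical helper names.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed, trimmed sample: "myorg" and the certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.acceptto.com/myorg/saml"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    TUlJQ29uc3RydWN0
    ZWRQbGFjZWhvbGRlcg==
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Location="https://sso.acceptto.com/myorg/saml/auth"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""


def quote(value):
    """Snowflake string literal: single quotes, embedded quotes doubled."""
    return "'" + value.replace("'", "''") + "'"


def integration_sql(metadata_xml, name="AccepttoINTEGRATION", label="AccepttoSSO"):
    """Build the step 3 statement from the IdP metadata (hypothetical helper)."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("integration name must be a plain identifier")
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    keys = root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS)
    certs = [c.text or "" for k in keys if k.get("use") != "encryption"
             for c in k.iterfind(".//ds:X509Certificate", NS)]
    # First signing certificate, joined onto one line without BEGIN/END markers.
    cert = "".join((certs[0] if certs else "").split())
    if sso is None or not cert:
        raise ValueError("metadata lacks an SSO endpoint or signing certificate")
    issuer, sso_url = root.get("entityID", ""), sso.get("Location", "")
    if not (issuer.startswith("https://") and sso_url.startswith("https://")):
        raise ValueError("issuer and SSO URL must be https:// URLs")
    base64.b64decode(cert, validate=True)  # ValueError on stray characters
    return (f"CREATE SECURITY INTEGRATION {name}\n"
            "    TYPE = SAML2\n    ENABLED = TRUE\n"
            f"    SAML2_ISSUER = {quote(issuer)}\n"
            f"    SAML2_SSO_URL = {quote(sso_url)}\n"
            "    SAML2_PROVIDER = 'CUSTOM'\n"
            f"    SAML2_X509_CERT = {quote(cert)}\n"
            f"    SAML2_SP_INITIATED_LOGIN_PAGE_LABEL = {quote(label)}\n"
            "    SAML2_ENABLE_SP_INITIATED = TRUE;")
```

Pass the contents of the downloaded metadata file to `integration_sql` and paste the returned statement into the worksheet after `use role accountadmin;`.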

Acceptto SAML Configuration as Identity Provider (IdP)

  1. Log into the Acceptto Dashboard with an administrative account and go to Applications.

  2. Create a new application by selecting Create New Application.

  3. In the New Application form, enter the following values under the General tab.

    • Name - The application name displayed in the admin panel and application portal and used for push notifications and audit logs (e.g. Snowflake).
    • Type - Select "SAML Service Provider" from the options.
    • Out of Band Methods - Select the allowed methods for approving MFA requests.
    • Message for MFA Requests - Enter the user-facing message for Push, SMS, and email MFA requests (optional).

  4. Under the SAML Service Provider Configuration tab, enter the following values:

    • Issuer or Entity ID - The Issuer/EntityID of your Snowflake instance.
        If your account is in US West: https://<account_name>.snowflakecomputing.com
        If your account is in any other Snowflake Region: https://<account_name>.<region_id>.snowflakecomputing.com
    • Sign in URL - Same as Issuer or Entity ID.
    • NameID Format - Unspecified.
    • Name Identifier - Email.
    • ACS URL - The Assertion Consumer Service URL of your Snowflake instance.
        If your account is in US West: https://<account_name>.snowflakecomputing.com/fed/login
        If your account is in any other Snowflake Region: https://<account_name>.<region_id>.snowflakecomputing.com/fed/login
    • Single Logout URL - The Single Logout URL of your Snowflake instance.
        If your account is in US West: https://<account_name>.snowflakecomputing.com/fed/logout
        If your account is in any other Snowflake Region: https://<account_name>.<region_id>.snowflakecomputing.com/fed/logout

  5. Click on Save.

Test Your Setup

  1. Go to your Snowflake instance and select Sign in using AccepttoSSO.

  2. You will be redirected to the Acceptto SSO page.

  3. After successful authentication, you’ll see the Acceptto MFA options. Select the desired method of authentication.

  4. After approving the authentication request, you will be logged into your Snowflake workspace.

Support

If you require assistance, please email us at support@acceptto.com

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the Acceptto Corporation.